The case for law firms to update their security

Given the volume of sensitive and valuable data they hold, law firms need to ensure they have the security practices in place to stand up to the interrogation they will face from cybercriminals.

By Tim Ferguson

Thu 8 Nov 2018 @ 15:00

Law firms help businesses and individuals navigate their way through the complex legal systems that govern how we live, do business and protect society.

Due to their crucial function, these organisations hold huge amounts of sensitive and valuable data that could be misused if it falls into the wrong hands. Whether it’s information on company acquisitions, intellectual property, or personal wealth and divorce details, this is all data that clients will want protected.

Unfortunately, the security practices of many law firms are behind the curve compared to other industries, with some guilty of neglecting security best practice. This is all the more worrying when you consider the interest cybercriminals are taking in law firms.

In 2015, it was estimated that 62 per cent of law firms were a victim of a cyberattack, while the Information Commissioner’s Office reported a 32 per cent increase in data breaches in the legal sector in the same year. Despite this, Law Journal Newsletters reported that just a third of respondents have no incident response plan.

When cyberattacks launched against law firms are successful, they have the potential to cause huge damage both to their clients and their own organisational reputations.

Just think of global firm Cravath Swaine & Moore – known for representing Disney when the entertainment company acquired 21st Century Fox, and Time-Warner when it acquired AT&T – which hit the headlines when it suffered a data breach in 2016.

Then there is the Panamanian firm Mossack Fonseca, which was at the centre of the huge Panama Papers leak, which revealed the offshore tax arrangements of numerous famous individuals, including many politicians. According to one of its founders, the firm was forced to close more than three dozen offices around the world after losing 11.5 million records in the breach.

Reputation goes a long way in the legal sector, and if existing or potential clients see their law firm as a weak link in terms of keeping their data secure, they will go elsewhere. There can also be financial costs for firms deemed to have been at fault for a data leak, with liability claims made by clients.

Losing clients and revenue as the result of a breach could even be enough to threaten the very survival of smaller firms.

Law firms also need visibility of what users are doing with critical data across the organisation. If a user shares sensitive data on an online storage platform, for example, they would be failing to safeguard data in the appropriate way and likely to be violating protocols.

With all of this to contend with, law firms can’t afford to be left behind in terms of cybersecurity capabilities. They need to put the latest technology in place to prevent compromises becoming breaches that cause significant damage.

First and foremost, law firms need to maintain good IT hygiene to ensure out-of-date software with known vulnerabilities isn’t allowed to persist – as happened at Mossack Fonseca. Firewalls and intrusion prevention systems are useful, but in such a complex cybersecurity landscape these are bound to be bypassed at some point.

Security information and event management (SIEM) can help by bringing together security data from across organisations to provide a complete picture of security-related activity within networks. This helps security teams prioritise the alerts they receive for further investigation, bringing badly-needed efficiencies for overstretched security teams.

There will always be malicious insider threats, with people acting for financial gain, corporate espionage or merely because they are disgruntled with their employer. Law firms should therefore make use of user and entity behaviour analytics (UEBA) to detect unusual activity and either flag it for response or automatically take action to contain it.

As well as better security systems, law firms also need to minimise the risk presented by staff mistakes. After all, staff duped by phishing attacks were behind the breaches at Mossack Fonseca and Cravath Swaine & Moore.

Law firms must therefore ensure their security culture is communicated, taught, monitored and reinforced. This awareness-building should take place all the time and employ tactics such as gamification.

If law firms are to avoid finding themselves in the dock, they need to put the latest security tools and practices in place sooner rather than later.